In light of the recent Heartbleed flaw, I am trying to do some analysis of various systems that I connect with (email, login pages, etc). I am trying to use the OpenSSL command-line tool to verify what protocols the systems I connect with are using.
Part of the response is:
...
SSL-Session:
Protocol : TLSv1
...
Is that all I need to verify that this service is not using OpenSSL (particularly the buggy 1.0.1 versions)? (I am thinking that it ISN'T enough, as I connected with a server that I KNOW is using OpenSSL 0.9.8 and it responded with the same string as shown above.)
TLSv1 refers to the protocol TLS version 1, while OpenSSL, NSS, GnuTLS, PolarSSL ... are implementations of the protocol. You usually cannot detect just from a normal TLS dialog which SSL implementation or which version of the implementation is running on the other side, so you had better use any of the available tools for checking if the server is vulnerable.
You can try to use the -tlsextdebug option of openssl s_client to find out which TLS extensions the other side supports. Vulnerable versions usually show that they support the heartbeat extension, but I would not count on it. And of course fixed versions support this extension too. If support for the extension is advertised, you will find this in the output of openssl s_client -tlsextdebug -connect ...:
TLS server extension "heartbeat" (id=15), len=1
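
The check described in the answer above, as an added example that is not part of the original post: shell functions that read `openssl s_client -tlsextdebug` output and report the negotiated protocol and whether the heartbeat extension (id=15) was advertised. The function names and the embedded sample output are constructed for illustration, and HOST:PORT is a placeholder.

```shell
#!/bin/sh
# Constructed sample of `openssl s_client -tlsextdebug` output (not captured
# from a real server); line layout follows the lines quoted on this page.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
EOF
}

# Print "<id> <name>" for each extension the server advertised.
server_extensions() {
    sed -n 's/^TLS server extension "\([^"]*\)" (id=\([0-9][0-9]*\)), len=.*$/\2 \1/p'
}

# Print the negotiated protocol version from the SSL-Session block.
negotiated_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Succeed if extension id 15 (heartbeat) was advertised. Match on the id,
# not the display name.
heartbeat_advertised() {
    server_extensions | grep '^15 ' >/dev/null
}

# One-line summary of s_client output read from stdin.
# "advertised" is NOT a vulnerability verdict: fixed builds advertise it too,
# and the protocol version says nothing about the implementation.
summarize() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | negotiated_protocol)
    if printf '%s\n' "$out" | heartbeat_advertised; then
        hb=advertised
    else
        hb=not-advertised
    fi
    printf 'protocol=%s heartbeat=%s\n' "${proto:-unknown}" "$hb"
}

# Live use (HOST:PORT is a placeholder):
#   openssl s_client -tlsextdebug -connect HOST:PORT </dev/null 2>/dev/null | summarize
sample_output | summarize
```

Either result only narrows the question; a server that advertises heartbeat still needs one of the dedicated vulnerability checks the answer refers to.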